Draft Cloud Computing Code of Practice released
by Joy Cottle, CloudCode Facilitator
 Six months ago the process kicked off to Develop a Code of Practice for Cloud Computing in NZ. NZCS was asked to facilitate the development on behalf of the broader industry and other stakeholders.
Since then more than 200 people have come together and contributed from various customer and market segments including government, private enterprise, finance, education and various authorities to help develop the Code of Practice. And now we're proud to release the draft CloudCode for consultation.
You can download the draft CloudCode here and the Consultation Document here.
Before continuing I'd really like to acknowledge and thank those who have contributed to the cost of the CloudCode once again. These are Equinox, Gen-i, OneNet, Webdrive and Xero as the major contributors plus Salesforce.com, Google, EOSS Online Ltd, InternetNZ, NZRise and Systems Advisory Services.
Our approach
The CloudCode is proactive, not prescriptive, based on what the industry is asking for both from a consumer and supplier perspective and more importantly a code of practice that is easily adopted by the providers and easily understood by the consumer.
New Zealand is one of the first internationally to develop such a code and is leading the way globally and there are many international eyes set on us right now to see the results of the work born from wide consultation and how we apply the code once it is finalised.
The future for the NZ cloud code is very positive, those that have already seen the document approve of its simplicity and ease of adoption for Cloud Service Providers but more importantly, the assistance and confidence such a code will provide the public.
Draft CloudCode released...
Now, the time has come: the Draft Code of Practice is ready to be released and we are seeking your feedback and opinions on the content of the code. All feedback is welcome and there are some specific areas that we are looking for comments on.
One of the areas is the actual approach of the code. Many of you who have been following the progress of the code will know that we have sought extensive consultation on what approach the code should take and most of this has been finalised, but there is one area of the approach that we want to look at a little more closely, the application of the disclosure requirements.
... but we need your feedback!
In the Consultation Document released with the draft CloudCode we've outlined 3 options on how the code could be applied. Should it only apply to providers where all of their offerings are compliant? Or is some enough? Or should the CloudCode apply to the products themselves rather than the provider?
Another topic for feedback is how the disclosure statements that are required under the code are provided. The Code states that the disclosures should be proactively made to all clients, both prospective and current, ie in advance rather than on demand. Obviously making these available via the cloud service providers website would be the first port of call for anyone looking for the disclosure statements, but would doing so cause issues?
The only part of The Code that is prescriptive is the security section. The Code adopts the Cloud Security Alliances' Security, Trust & Assurance Registry (STAR), requiring participants of the Cloud Code to join the registry. This is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of providers they currently use or are considering contracting with. STAR was selected over various other security control standards because of its specificity for the Cloud Industry and relative ease of access to become registered.
Some other areas for feedback include the actual content of the disclosure statements: are they useful for cloud users? Are the areas of disclosure suitable for the code? Should the optional additional disclosure modules just be part of the required disclosures? Is there any area of cloud computing that has been missed? And whether or not you think the code of practice is accessible to a wide range of cloud providers?
All of the answers to these questions are vitally important to ensure the final code appropriate is for its audience and achieved its outcomes.
The ongoing governance of the code is another area of consultation that we are seeking feedback on, who do you think should oversee and champion the CloudCode - NZCS or someone else?
There is certainly a lot to think about and this really is a big deal. So take a look at the draft CloudCode - we really need your feedback.
You can download the draft CloudCode here and the Consultation Document here.
For more information please see http://www.nzcloudcode.org.nz/consultation/
Joy Cottle is the coordinator for the NZ CloudCode contracted by NZCS.
Next Article (A confession) »« Return to Contents
Contributed content is the opinion of the author only, and not necessarily the view of IITP.
| 
